mrksr Respected Contributor.
Respected Contributor.
876 views

Today I got ArcSight Event (Name=Event Transport Fail Over, Device Event Class ID=agent:051) from a WiNC Connector (Version 7.2.4). Does anybody know what that means?

Unfortunately I can't find any Information this ID.

Labels (1)
0 Likes
3 Replies
pbrettle Acclaimed Contributor.
Acclaimed Contributor.

Re: Today I got ArcSight Event (Name=Event Transport Fail Over, Device Event Class ID=agent:051) from a WiNC Connector (Version 7.2.4). Does anybody know what that means?

Mmmm, good point, doesnt seem to be in the documentation (usually the agent:0xx messages are in the Console user guide, but this one isnt!). However, from what I understand and best guess is that this is an internal SmartConnector audit message (the agent:0xx refers to a connector message and not say a content manager for example). From there, this is likely to be a fail-over from the primary destination to the secondary one.

There is a capability for a connector to have two destinations and not have the second one active. Basically, should the primary one fail, it will then start sending to the secondary one. While this seems a good idea for say load balancing across the collection layer, its also a bit of a pain because you potentially have incomplete data stores of events (send to a primary ESM and fail-over to a secondary one - the secondary one doesnt have the events before the fail-over - if you see what I mean). Anyway, enough of what the fail-over is....

So my best guess is that you have two destinations on the connector, one is a failover and for some reason the primary one is not available. I would check into the agent.log files and see what the destinations are and if you see a swap over at or around the time of this log getting generated - it might also coincide directly with a lack of log messages from the log source too!

Hope this helps.

0 Likes
mrksr Respected Contributor.
Respected Contributor.

Re: Today I got ArcSight Event (Name=Event Transport Fail Over, Device Event Class ID=agent:051) from a WiNC Connector (Version 7.2.4). Does anybody know what that means?

Thank you Paul!

Could it be, that the connector switched from the Default configuration to the Alternate#1 configuration?

The connector has only one destination and it did not lose any events. However, I found the agent:051 event because the connector did not send ConnectorDeviceStatus events any more (before it send Status every 15 minutes). Restarting the connector service did not change anything.

I managed to convice the connector to send ConnectorDeviceStatus events after changing the Default configuration (I only changed the  ConnectorDeviceStatus Monitoring time Frame from 15 to 5 and back to 15 minutes).

Albeit, the connector is working fine again.

0 Likes
aneeshpskadavil1 Honored Contributor.
Honored Contributor.

Re: Today I got ArcSight Event (Name=Event Transport Fail Over, Device Event Class ID=agent:051) fro

Good Day all , 

Do we have a correct documentation in ArcSight when exactly this issue occurs to understand this issue better. I am seeing this event being generated by few connectors couldn't really identify a clear documentation. None of these connectors are configured with failover destination. If anybody has a clear documentation , it could be really helpful

 

Best Regards

Aneesh

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.